Blockchain Incompatible with GDPR?

Blockchain aims to enable a digital decentralized society where people can contribute, collaborate, and transact without having to second-guess trust and transparency. Blockchain projects operating in the EU are supposed to comply with the GDPR, a regulation in EU law on data protection and privacy for all individual citizens of the EU and the European Economic Area.

However, it remains unclear how this compliance is to be understood. A recent article from Harvard’s Berkman Klein Center for Internet and Society offers a view on the matter, arguing that blockchain is in fact incompatible with the GDPR. Its author, Elizabeth M. Renieris, is the founder of hackylawyER, an innovative consultancy focused on law and policy engineering.

Renieris argues that most existing projects rely on “consent” but do not effectively address the mechanism for obtaining adequately informed consent, nor the fact that consent is revocable. These projects cannot answer the question: what is the “lawful basis” for writing data to the ledger in the first place?

She goes further, arguing that blockchain violates other core principles of the GDPR. Under the principle of purpose limitation, personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Given the automatic replication of data across all nodes in a network, it is hard to argue that the data is not “further processed” beyond the act of writing a given transaction to the ledger. That same automatic replication across all nodes is also an automatic violation of the data minimization principle. And the design premise that a blockchain is a permanent and immutable digital record is inherently at odds with the storage limitation principle.

Renieris’ arguments are useful when assessing the compatibility (or incompatibility) of blockchain and the GDPR. The protection of user privacy seems to be a never-ending debate.